Directory Services
PRINCIPLES – NIS – LDAP – DNS
TDDI41 lecture slides (Department of Computer and ..., TDDI41/lectures/TDDI41-F3.pdf)

Labs and deadlines
- AMD -> Intel
- Right now we are upgrading the kernel
  - Hopefully that fixes the interrupts -> slow network
- Deadlines
  - http://www.ida.liu.se/~TDDI41/timetable/index.en.shtml
- If I forget (which I do), remind me to put up the lecture slides

What is a directory?
Fundamental properties
- Maps keys to values
- Relatively frequent lookups
- Relatively infrequent updates
Examples
- Phone book
- Office directory
- User database
- List of contacts

Directories in Linux
User database
- /etc/passwd, /etc/shadow
Group database
- /etc/group
Host names
- /etc/hosts
Network names
- /etc/networks
Protocol names
- /etc/protocols
Service names
- /etc/services
RPC program numbers
- /etc/rpc
Known ethernet addresses
- /etc/ethers
Automount maps
- /etc/auto.master
Standard implementation: local files

The scalability problem
Example
- 13000 users and 5000 hosts
- Passwords valid for 30 days
- 50% of changes made at 8-10
  -> One change every 28.8 seconds
  -> Propagation time: 0.00567 s (the 28.8 s spread over the 5000 hosts each change must reach)
Problems
- Performance issues
- Hosts that are down
- Other propagation failures
- Simultaneous updates

What is a directory service?
A specialized database
- Attribute-value type information
- More reads than updates
- Consistency problems are sometimes OK
- No transactions or rollback
- Support for distribution and replication
- Clear patterns to searches

Directory services
Components
- A data model
- A protocol for searching
- A protocol for reading
- A protocol for updating
- Methods for replication
- Methods for distribution
Common directory services
- DNS
- X.500 Directory Service
- Network Information Service
- NIS+
- Active Directory (Windows NT)
- NDS (Novell Directory Service)
- LDAP (Lightweight X.500)

Directory services
Global directory service
- Context: entire network or entire internet
- Namespace: uniform
- Distribution: usually
- Examples: DNS, X.500, NIS+, LDAP
Local directory service
- Context: intranet or smaller
- Namespace: non-uniform
- Examples: NIS, local files

Directory services in Linux
Alias: name services
- /etc/nsswitch.conf selects service
- Several services per directory
- Modular design/implementation
Examples from /etc/nsswitch.conf
  users   files,nis
  users   nis[notfound=return],files
  hosts   dns,files
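How the service list and an action such as [notfound=return] decide the outcome of one lookup, as an added example that is not part of the lecture. The slide writes the database as `users` with comma-separated services; the real file syntax is `passwd: nis [NOTFOUND=return] files`, which this simulation parses. `parse_nsswitch_line`, `lookup` and the per-service result dictionary are names invented for the example.

```python
import re

# Status an NSS service can return for one lookup, and the default action
# glibc takes for each (only "success" stops the search by default).
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

def parse_nsswitch_line(line):
    """Parse one /etc/nsswitch.conf line, e.g.
    'passwd: nis [NOTFOUND=return] files'
    into (database, [(service, {status: action}), ...])."""
    db, _, spec = line.partition(":")
    services = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if tok.startswith("["):
            if not services:
                raise ValueError("action block before any service: %r" % line)
            for item in tok[1:-1].split():
                status, action = item.lower().split("=")
                services[-1][1][status] = action   # override the default action
        else:
            services.append((tok, dict(DEFAULT_ACTIONS)))
    return db.strip(), services

def lookup(services, results):
    """Run one lookup through the service list. `results` maps each service
    name to the (status, value) it would return; services missing from it
    count as unavailable. Returns (status, value, services_consulted)."""
    consulted = []
    last = ("notfound", None)
    for name, actions in services:
        status, value = results.get(name, ("unavail", None))
        consulted.append(name)
        last = (status, value)
        if actions.get(status) == "return":
            break
    return last[0], last[1], consulted

if __name__ == "__main__":
    # constructed sample: the user exists only in the local file
    _, svc = parse_nsswitch_line("passwd: nis [NOTFOUND=return] files")
    print(lookup(svc, {"nis": ("notfound", None), "files": ("success", "root:x:0:0")}))
```

The second slide line, `nis [notfound=return]`, is the interesting one: when NIS answers "no such user" the search stops there and the local file is never consulted, so a user that exists only in /etc/passwd becomes invisible while NIS is reachable, and becomes visible again when NIS is down (unavail still continues). The `!` negation form and the newer `merge` action are not modelled here.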

NIS, NIS+, LDAP

Network Information Service
Domain (NIS domain)
- Systems administered with NIS
- No connection to DNS domain
NIS server
- Server that has information accessible through NIS
- Serves one or more domains
NIS client
- Host that uses NIS as a directory service for something
(Figure: example NIS domain names ida.liu.se and fo.ida.liu.se)

NIS
Protocol
- RPC based
- No security
- No updates
- Replication support
Replication
- Master/slave servers
Distribution
- No distribution support!
Data model
- Directories known as maps
- Simple key-value mapping
- Values have no structure
(Figure: the map passwd.byname, key -> value; the values are cut off on the slide)
  arjle  1001:adFrl...
  donkn  1002:*:203...
  johne  1003:trzQw...
  alatu  2031:kprrT...
  johmc  2032:bRelZ...
  edwyo  2033:*:204...
  ricst  2034:vvldk...
  petde  2232:*:204...
  larwa  3021:*:204...

NIS
Master server
- Maps built from text files
- Maps in /var/yp
- Maps built with make
- Maps stored in binary form
- Replication to slaves with yppush
Slave servers
- Receive data from master
- Load balancing and failover
Processes/commands
- ypserv    Server process
- ypbind    Client process
- ypcat     To view maps
- ypmatch   To search maps
- ypwhich   Show status
- yppasswdd Change password

NIS
NIS client
- Knows its NIS domain
- Binds to a NIS server
Two options
- Broadcast
- Hard-coded NIS server
(Figure: ypbind binding sequence between NIS client, portmapper and NIS server: GETPORT, DOMAIN_NONACK, BIND)

NIS
Scalability problems
- Flat namespace
- No distribution
Security problems
- No access control
- Broadcast for binding
- Patched as an afterthought
Primitive protocol
- No updates
  - Hack for password change
- Search only on key
- Primitive data model
Solution: NIS+

NIS+
Scalability
- Hierarchical namespace
- Distributed administration
Security
- Authentication of server, client and user
- Access control on per-cell level
New protocol
- Updates through NIS+
- General searches
- Data model with real tables
So why is NIS+ not used?

LDAP
Protocol
- TCP-based
- Fine-grained access control
- Support for updates
- Flexible search protocol
Replication
- Replication is possible
Distribution
- Distributed management is possible
Data model
- Based on X.500
- Object-oriented
- Objects can be extended freely
- Attribute-based data model
- Hierarchical namespace

Example of user
NIS+ table "passwd.org_dir.example.com":
  name    passwd          uid   gid   gecos  home          shell
  davby   *LK*            1211  1200  David  /home/davby   /bin/sh
  fsmith  3x1231v76T89N   1329  1200  Fran   /home/fsmith  /bin/sh
NIS table passwd.byname (user name as key):
  davby   davby:*:1211:1200:David:/home/davby:/bin/sh
  fsmith  fsmith:*:1329:1200:Fran:/home/fsmith:/bin/sh

Example of user
LDAP entry:
  dn: uid=fsmith,ou=employees,dc=example,dc=com
  objectclass: person
  objectclass: organizationalPerson
  objectclass: inetOrgPerson
  uid: fsmith
  givenname: Fran
  sn: Smith
  cn: Fran Smith
  cn: Frances Smith
  telephonenumber: 510-555-1234
  roomnumber: 122G
  o: Example Corporation International
  mailRoutingAddress: [email protected]
  mailhost: mail.example.com
  userpassword: {crypt}3x1231v76T89N
  uidnumber: 1329
  gidnumber: 1200
  homedirectory: /home/fsmith
  loginshell: /bin/sh
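What "attribute-based" and "object-oriented" mean in practice for the entry above, as an added example that is not part of the lecture: a minimal LDIF reader that keeps every value of a multi-valued attribute (this entry has two cn values and three objectclass values) and then flattens the object into the single-string NIS passwd.byname value of the previous slide, which can only keep one of each. The LDIF text is constructed from the slide's entry with the mail attributes left out; `parse_ldif_entry` and `to_passwd_map_entry` are names invented for the example.

```python
# Constructed from the lecture's fsmith entry (mail attributes omitted).
# A line starting with a space continues the previous line (LDIF folding).
LDIF_ENTRY = """\
dn: uid=fsmith,ou=employees,dc=example,dc=com
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: fsmith
givenname: Fran
sn: Smith
cn: Fran Smith
cn: Frances Smith
telephonenumber: 510-555-1234
roomnumber: 122G
o: Example Corporation
  International
userpassword: {crypt}3x1231v76T89N
uidnumber: 1329
gidnumber: 1200
homedirectory: /home/fsmith
loginshell: /bin/sh
"""

def parse_ldif_entry(text):
    """Return {attribute (lowercased): [values...]} for one LDIF entry.
    Attribute names are case-insensitive in LDAP, hence the lowercasing."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold: drop the one folding space
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an attribute line: %r" % line)
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def to_passwd_map_entry(entry):
    """Flatten the LDAP object into the NIS passwd.byname key/value pair.
    Only the first value of a multi-valued attribute survives, and the hash
    is copied from userPassword minus its {crypt} scheme tag."""
    first = lambda attr: entry[attr][0]
    pw = first("userpassword")
    if pw.lower().startswith("{crypt}"):
        pw = pw[len("{crypt}"):]
    value = ":".join([first("uid"), pw, first("uidnumber"), first("gidnumber"),
                      first("cn"), first("homedirectory"), first("loginshell")])
    return first("uid"), value

if __name__ == "__main__":
    entry = parse_ldif_entry(LDIF_ENTRY)
    print(entry["cn"])
    print(to_passwd_map_entry(entry))
```

The flattening step is where information is lost (the second cn, all but one objectclass, the room and phone). It also makes visible why NIS is described as insecure on the next slides: the passwd.byname value carries the password hash, and every NIS client can read the whole map with ypcat.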

The future
LDAP is taking over
- NIS is too insecure, doesn't scale and is inflexible
- NIS+ is hard to implement and doesn't exist on many OSes
- X.500 is too complex and has a bad reputation
- Other options have similar problems

DNS

DNS: Data model
- Functional: NAME -> { TYPE -> RDATA }
- Relational: (NAME, TYPE, RDATA)
  NAME        TYPE  RDATA
  ida.liu.se  A     130.236.177.25
  ida.liu.se  MX    0 ida.liu.se
  ida.liu.se  NS    ns.ida.liu.se
  ida.liu.se  NS    ns1.liu.se
  ida.liu.se  NS    ns2.liu.se
  ida.liu.se  NS    nsauth.isy.liu.se

DNS: TYPE & RDATA
TYPE
- SOA – Start of authority
- NS – Name server
- MX – Mail exchanger
- A – Address
- AAAA – IPv6 address
- PTR – Domain name pointer
- CNAME – Canonical name
- TXT – Text
- … and many more
RDATA
- Binary data, hardcoded format
- TYPE determines format

DNS: Namespace
Names
- Dot-separated parts
  - one.part.after.another
FQDN
- Fully Qualified Domain Name
- Complete name
- Always ends in a dot
Partial name
- Suffix of name implicit
- Does not end in a dot
Namespace
- Global and hierarchical
(Figure: namespace tree with <root> at the top, the top-level domains com, net, org and se below it, then google, ibm, liu, tfk and ida, and www leaves at the bottom)

DNS: Replication
Secondary/slave nameserver
- Indicated by NS RR
- Data transfer with AXFR/IXFR
Questions
- How does a slave NS know when there is new information?
- How often should a slave NS attempt to update?
- How long is replicated data valid?
Rule of thumb
- Every zone needs at least two nameservers
Example
  sysi-00:~# host -t ns ida.liu.se
  ida.liu.se NS nsauth.isy.liu.se
  ida.liu.se NS ns.ida.liu.se
  ida.liu.se NS ns1.liu.se

DNS: Distribution
Delegation
- A NS can delegate responsibility for a subtree to another NS
- Only entire subtrees can be delegated
Zone
- The part of the namespace that a NS is authoritative for
- Defined by SOA and NS
Domain
- A subtree of the namespace
(Figure: the same namespace tree, with the subtree under com marked as the ".com domain" and the part under se that one server is authoritative for marked as the ".se zone")

DNS: Delegation
Delegating NS
- NS record for delegated zone
- A record (glue) for NS when needed
Delegated-to NS
- SOA record for the zone
Example
  a.example.com  NS   ns2.x.com
  b.x.com        NS   ns.b.x.com
  ns.b.x.com     A    10.1.2.3
  b.x.com        SOA  ( ns.b.x.com dns.x.com 2004090901 24H 2H 1W 2D )

DNS: Delegation
Format of SOA
- MNAME    Master NS
- RNAME    Responsible (email)
- SERIAL   Serial number
- REFRESH  Refresh interval
- RETRY    Retry interval
- MINIMUM  TTL for negative reply
SERIAL
- Increase for every update
- Date format common
  - 2004090901
REFRESH/RETRY
- How often secondary NS updates the zone
MINIMUM
- How long to cache NXDOMAIN

DNS: Caching
Caching creates scalability
- Caching reduces tree traversal
- Caching of A and PTR reduces duplicate DNS queries
Choosing good cache parameters is vital
Cache parameters
- TTL – Set per RR
- Negative TTL – Set in SOA
Example
  $TTL 4H
          SOA  ( MNAME RNAME SERIAL REFRESH RETRY 1H )
          24H  NS  ns
  ns      24H  A   10.1.2.3
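The three replication questions (how a secondary notices new data, how often it tries, how long the copy stays valid) and the SOA fields that answer them, as an added example that is not part of the lecture: serial comparison the way RFC 1982 defines it (on a 32-bit circle, so a plain `>` is not enough), the date-format serial bump, the REFRESH/RETRY/EXPIRE timer logic of a secondary, and the negative-cache TTL rule. The timer values are the ones on the b.x.com SOA two slides back and the `$TTL 4H` / `1H` pair from the example above; `SecondaryZone`, `serial_newer`, `next_serial`, `negative_ttl` and `ttl_seconds` are names invented for the example, and the negative TTL follows RFC 2308 (minimum of SOA MINIMUM and the SOA record's own TTL), which the lecture does not spell out.

```python
from datetime import date

UNIT = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

def ttl_seconds(text):
    """Convert a zone-file time such as '24H', '1W' or '3600' to seconds."""
    text = text.upper()
    if text.isdigit():
        return int(text)
    return int(text[:-1]) * UNIT[text[-1]]

def serial_newer(candidate, current):
    """RFC 1982 serial arithmetic: is `candidate` newer than `current`?
    Serials live on a 32-bit circle, so 1 is newer than 0xFFFFFFFF."""
    diff = (candidate - current) & 0xFFFFFFFF
    return 0 < diff < 2 ** 31

def next_serial(current, today):
    """Bump a YYYYMMDDnn serial: restart at nn=00 on a new day, else +1."""
    base = int(today.strftime("%Y%m%d")) * 100
    return base if base > current else current + 1

def negative_ttl(soa_record_ttl, soa_fields):
    """RFC 2308: an NXDOMAIN is cached for min(SOA TTL, SOA MINIMUM)."""
    return min(ttl_seconds(soa_record_ttl), ttl_seconds(soa_fields["minimum"]))

class SecondaryZone:
    """What a secondary does with the SOA timers: poll the master every
    REFRESH seconds, back off RETRY seconds after a failed poll, and stop
    serving the zone once EXPIRE seconds have passed without contact."""

    def __init__(self, serial, soa_fields, now):
        self.serial = serial
        self.refresh = ttl_seconds(soa_fields["refresh"])
        self.retry = ttl_seconds(soa_fields["retry"])
        self.expire = ttl_seconds(soa_fields["expire"])
        self.last_contact = now
        self.next_poll = now + self.refresh

    def poll(self, now, master_serial):
        """`master_serial` is None when the master could not be reached."""
        if now < self.next_poll:
            return "idle"
        if master_serial is None:
            if now - self.last_contact >= self.expire:
                return "expired"          # zone data must no longer be served
            self.next_poll = now + self.retry
            return "retry"
        self.last_contact = now
        self.next_poll = now + self.refresh
        if serial_newer(master_serial, self.serial):
            self.serial = master_serial   # an AXFR/IXFR would happen here
            return "transfer"
        return "fresh"

if __name__ == "__main__":
    soa = {"refresh": "24H", "retry": "2H", "expire": "1W", "minimum": "2D"}
    zone = SecondaryZone(2004090900, soa, now=0)
    for t, master in [(86400, 2004090900), (172800, None), (180000, 2004090901)]:
        print(t, zone.poll(t, master), zone.serial)
    print(next_serial(2004090901, date(2004, 9, 10)))
```

Two things the simulation makes concrete: a secondary that is handed an older serial keeps its own copy (the comparison, not the transfer, decides), and a master that stays unreachable beyond EXPIRE leaves the secondary with nothing to serve, which is why the rule of thumb asks for at least two nameservers and why EXPIRE is normally set to a week or more.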

DNS: The server
Recursive/iterative
- Does the server offer recursion?
- To which clients is it offered?
Authoritative/non-authoritative
- Authoritative: first-hand information
- Otherwise: cached information
Review
- Recursive: the nameserver gives a definite answer, but may ask other nameservers in order to generate it
- Iterative: the nameserver gives a definite answer only for locally known information; otherwise it generates a referral

DNS: The client
Client requirements
- Use a recursive NS (resolver)
- Use partially qualified names
Partially qualified names
- Add suffix if there are fewer than n dots in the name (ndots)
Name server (resolver)
- Specified in /etc/resolv.conf
Example: /etc/resolv.conf
  search ida.liu.se
  nameserver 130.236.177.25
  options ndots:2
(Figure: resolution path: application -> libc -> nss (nsswitch.conf) -> libnss_dns.so resolver library (resolv.conf) -> recursive NS -> chain of iterative NSes)
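The order in which a stub resolver tries names under the search/ndots rule, as an added example that is not part of the lecture. The resolv.conf text is constructed from the slide's example with the address the dig output later in the lecture gives for ns.ida.liu.se (a `nameserver` line must hold an IP address) and the real option syntax `options ndots:2`; `parse_resolv_conf` and `candidate_names` are names invented here and reproduce glibc's behaviour: a trailing dot disables expansion, names with at least ndots dots are tried as-is first, shorter names get the search suffixes first.

```python
# Constructed from the lecture's resolv.conf example.
RESOLV_CONF = """\
search ida.liu.se
nameserver 130.236.177.25
options ndots:2
"""

def parse_resolv_conf(text):
    """Extract the search list, nameservers and ndots from resolv.conf text."""
    conf = {"search": [], "nameserver": [], "ndots": 1}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0], parts[1:]
        if key in ("search", "domain"):
            conf["search"] = args           # a later line replaces an earlier one
        elif key == "nameserver":
            conf["nameserver"].extend(args)
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf["ndots"] = min(int(opt[len("ndots:"):]), 15)  # glibc caps at 15
    return conf

def candidate_names(name, search, ndots):
    """Fully qualified names the resolver will try, in order."""
    if name.endswith("."):
        return [name]                       # FQDN: no search-list expansion
    absolute = name + "."
    suffixed = ["%s.%s." % (name, s.rstrip(".")) for s in search]
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]

if __name__ == "__main__":
    conf = parse_resolv_conf(RESOLV_CONF)
    for n in ("www", "www.liu.se", "mail.liu", "www.ida.liu.se."):
        print(n, "->", candidate_names(n, conf["search"], conf["ndots"]))
```

The ordering explains two things seen in practice: with ndots:2 a two-label name such as `mail.liu` is first looked up as `mail.liu.ida.liu.se.`, so a typo can silently resolve to a host inside the search domain, and every name that is not fully qualified costs one extra query per search suffix before it fails.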

DNS: Root Name Server
Handles the root zone
- Data generated by ICANN
- Data distributed by Verisign
- Distribution from hidden master
Thirteen services
- Some are anycast
- Over 60 servers
Why no more than 13?

Root name servers: operators and locations
  A  VeriSign                           Dulles VA
  B  ISI                                Marina Del Rey CA
  C  Cogent Communications              Herndon VA; Los Angeles; New York City; Chicago
  D  University of Maryland             College Park MD
  E  NASA Ames                          Mountain View CA
  F  Internet Systems Consortium, Inc.  Ottawa; Palo Alto; San Jose, CA; New York City; San Francisco; Madrid; Hong Kong; Los Angeles; Rome; Auckland; Sao Paulo; Beijing; Seoul; Moscow; Taipei; Dubai; Paris; Singapore; Brisbane; Toronto; Monterrey; Lisbon; Johannesburg; Tel Aviv; Jakarta; Munich;
  G  U.S. DOD NIC                       Vienna VA
  H  U.S. Army Research Lab             Aberdeen MD
  I  Autonomica/NORDUnet                Stockholm; Helsinki; Milan; London; Geneva; Amsterdam; Oslo; Bangkok; Hong Kong; Brussels; Frankfurt
  J  VeriSign Global Registry Services  Dulles VA (2 locations); Mountain View CA; Seattle WA; Amsterdam; Atlanta GA; Los Angeles CA; Miami; Stockholm; London; Tokyo; Seoul; Singapore; Sterling VA (2 locations, standby)
  K  RIPE NCC                           London; Amsterdam; Frankfurt; Athens; Doha (Qatar)
  L  ICANN                              Los Angeles
  M  WIDE Project                       Tokyo; Seoul (KR); Paris (FR)

DNS: CNAME
Canonical name
- Pointer within namespace
- Johansson: See Johnson
CNAME Whoopsie 1
  www             CNAME  informatix
  www             A      130.236.177.12
CNAME Whoopsie 2
  ida.liu.se.     NS     ns.ida.liu.se.
  ns              CNAME  vitalstatistix
  vitalstatistix  A      130.236.177.12
(Figure: in the ida subtree, www is an alias for informatix: www.ida.liu.se CNAME informatix.ida.liu.se)
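A checker that catches both whoopsies before a zone is loaded, as an added example that is not part of the lecture. It builds the functional view of the data model from the data-model slide, NAME -> { TYPE -> [RDATA] }, and then applies two rules: an alias owner may carry no other data (RFC 1034 section 3.6.2), and the target of an NS or MX record must be a canonical name, not an alias (RFC 2181 section 10.3; the MX half goes beyond the slide). The records are the slide's, qualified against the origin ida.liu.se.; `qualify`, `build_directory` and `check_cnames` are names invented for the example.

```python
from collections import defaultdict

def qualify(name, origin):
    """Make a zone-file name absolute: relative names get the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else "%s.%s" % (name, origin)

def build_directory(records, origin):
    """Functional view of the data model: NAME -> { TYPE -> [RDATA] }.
    Owner names and the name part of CNAME/NS/MX/PTR rdata are qualified
    so that every lookup is by fully qualified name."""
    directory = defaultdict(lambda: defaultdict(list))
    for name, rtype, rdata in records:
        if rtype in ("CNAME", "NS", "MX", "PTR"):
            target = rdata.split()[-1]            # MX rdata is "preference target"
            rdata = rdata.replace(target, qualify(target, origin))
        directory[qualify(name, origin)][rtype].append(rdata)
    return directory

def check_cnames(directory):
    """Return (problem, name) pairs for the two CNAME rules."""
    problems = []
    for name, types in directory.items():
        if "CNAME" in types and len(types) > 1:
            problems.append(("cname-with-other-data", name))   # whoopsie 1
        for rtype in ("NS", "MX"):
            for rdata in types.get(rtype, []):
                target = rdata.split()[-1]
                if "CNAME" in directory.get(target, {}):
                    problems.append(("%s-target-is-cname" % rtype.lower(), target))  # whoopsie 2
    return problems

if __name__ == "__main__":
    origin = "ida.liu.se."
    whoopsie1 = [("www", "CNAME", "informatix"), ("www", "A", "130.236.177.12")]
    whoopsie2 = [("ida.liu.se.", "NS", "ns.ida.liu.se."),
                 ("ns", "CNAME", "vitalstatistix"),
                 ("vitalstatistix", "A", "130.236.177.12")]
    print(check_cnames(build_directory(whoopsie1, origin)))
    print(check_cnames(build_directory(whoopsie2, origin)))
```

Whoopsie 2 is the more dangerous one operationally: the parent zone's glue and the referral both name `ns.ida.liu.se.`, and a resolver following the NS record to an alias may reject the answer or chase the alias with an extra query, so the zone becomes unreliable rather than simply broken.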

DNS: PTR
Address-to-name mapping
- Same RR type for IPv4 and IPv6
- "A big reverse zone in the sky"
IPv4: in-addr.arpa.
- Reverse address and add in-addr.arpa.
- A.B.C.D -> D.C.B.A.in-addr.arpa.
- Same as any other name in DNS!
  - Same lookup, cache etc.
  - CNAME works too
  15.189.236.130.in-addr.arpa. PTR sysi-05.sysinst.ida.liu.se.
(Figure: the reverse tree for 130.236.189.15 next to the forward tree: <root> -> arpa -> in-addr -> 130 -> 236 -> 189 -> 15, each level holding 0..255, beside <root> -> se -> liu -> ida, tfk -> www and com -> google, ibm)

DNS: Delegation in in-addr.arpa.
Delegation
- Delegation of entire subtrees
- Subtrees at each dot
- In in-addr.arpa a dot after each octet of the address
Q: How to delegate partial subtrees corresponding to small subnets, e.g. 10.17.1.0/26?
A: Use CNAME to create a new zone that can be delegated!
A: Delegate each address as a separate zone
  $GENERATE 1-63 $ CNAME $.rv4.sysinst.ida.liu.se.
(Figure: the names 1..63 under 1.17.10.in-addr.arpa. are CNAMEs to the names 1..63 under rv4.sysinst.ida.liu.se., a subtree of se -> liu -> ida -> sysinst that can be delegated as a whole)
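Building reverse names and the CNAME trick for a /26 in code, as an added example that is not part of the lecture. `reverse_name` does the A.B.C.D -> D.C.B.A.in-addr.arpa. rewrite of the PTR slide and, going beyond it, the nibble-reversed ip6.arpa. form for IPv6; `classless_delegation` emits, for every address in a block longer than /24, the CNAME that the parent reverse zone needs so the block can be delegated under a name of the operator's choosing (the slide's `$GENERATE 1-63` does this for 10.17.1.0/26 with the target zone rv4.sysinst.ida.liu.se.). Both function names are invented here; the results are cross-checked against the standard library's `reverse_pointer`.

```python
import ipaddress

def reverse_name(address):
    """Owner name of the PTR record for an IPv4 or IPv6 address.
    IPv4: octets reversed under in-addr.arpa.; IPv6: the 32 hex nibbles
    reversed under ip6.arpa. (same idea, one label per nibble)."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = str(ip).split(".")
        suffix = "in-addr.arpa."
    else:
        labels = list(ip.exploded.replace(":", ""))    # 32 nibbles, leading zeros kept
        suffix = "ip6.arpa."
    return ".".join(reversed(labels)) + "." + suffix

def classless_delegation(network, target_zone):
    """CNAME records the parent in-addr.arpa zone needs for a block smaller
    than /24: each address's reverse name is aliased to a name in
    `target_zone`, which can then be delegated as an ordinary subtree.
    Returns (owner, "CNAME", target) tuples, one per address in the block."""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("only IPv4 blocks longer than /24 need the CNAME trick")
    records = []
    for ip in net:                                      # includes first and last address
        last_octet = str(ip).split(".")[-1]
        records.append((reverse_name(str(ip)), "CNAME",
                        "%s.%s" % (last_octet, target_zone)))
    return records

if __name__ == "__main__":
    print(reverse_name("130.236.189.15"))
    print(reverse_name("2001:db8::1"))
    for rec in classless_delegation("10.17.1.0/26", "rv4.sysinst.ida.liu.se.")[:3]:
        print(*rec)
```

After the CNAMEs are in the parent zone, the owner of rv4.sysinst.ida.liu.se. publishes ordinary PTR records under names 1..63 there; nothing else in the resolver changes, which is the "same as any other name in DNS" point of the PTR slide.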

DNS: The protocol
TCP or UDP
- Normally UDP port 53
- TCP if the reply is too large
DNS packet
- Header section      Flags etc.
- Query section       Queries to the server
- Answer section      Replies to the queries
- Authority section   Referrals to other NS
- Additional section  Extra data that may be useful (e.g. glue)

DNS: The protocol
Header section: flags
- QR      Query or response
- OPCODE  Type of query
- AA      Authoritative Answer
- TC      TrunCation
- RD      Recursion Desired
- RA      Recursion Available
- Z       Reserved
- RCODE   Result code
Flags
- Set RD for recursive query
- If AA is not set, reply is from cache
- If TC is set, the reply is too large for UDP
RCODE
- SERVFAIL  Problem with NS
- NXDOMAIN  No such name
- REFUSED   Refuse to reply
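The header flags as bits, as an added example that is not part of the lecture: a 12-byte header decoder and a query-header builder, plus a classifier that applies the three slide rules (AA means first-hand data, TC means retry over TCP, an empty answer with authority records is a referral). The sample headers are constructed from the id, flags and section counts printed in the three dig sessions a few slides further on; `parse_header`, `build_query_header`, `classify_reply` and `SAMPLES` are names invented for the example.

```python
import struct

HEADER = struct.Struct(">HHHHHH")   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def parse_header(packet):
    """Decode the 12-byte header. Flag word layout (RFC 1035 section 4.1.1):
    QR(1) OPCODE(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4)."""
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(packet)
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "z": (flags >> 4) & 0x7,
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def build_query_header(ident, recursion_desired=True):
    """Header of a standard query carrying one question; RD asks the
    server to recurse on the client's behalf."""
    flags = 0x0100 if recursion_desired else 0
    return HEADER.pack(ident, flags, 1, 0, 0, 0)

def classify_reply(h):
    """Read a header the way the slides do."""
    if not h["qr"]:
        return "query"
    if h["rcode"] != "NOERROR":
        return "error:" + h["rcode"]
    if h["tc"]:
        return "truncated"                       # ask again over TCP
    if h["ancount"] == 0 and h["nscount"] > 0:
        return "referral"                        # answer empty, authority filled
    return "authoritative answer" if h["aa"] else "answer from cache"

# Constructed from the id / flags / counts printed by the lecture's dig sessions.
SAMPLES = {
    "a.ns.se":           HEADER.pack(7059,  0x8100, 1, 0, 4, 4),   # qr rd
    "nsauth.isy.liu.se": HEADER.pack(49836, 0x8500, 1, 2, 4, 4),   # qr aa rd
    "ns.ida.liu.se":     HEADER.pack(38042, 0x8180, 1, 6, 4, 4),   # qr rd ra
}

if __name__ == "__main__":
    for server, raw in SAMPLES.items():
        print(server, classify_reply(parse_header(raw)))
```

The three samples line up with the dig output: the TLD server answers the query for www.ida.liu.se with a referral, the zone's own server sets AA, and the department's recursive server sets RA but not AA because it is handing back what it cached. A real decoder continues with the question and resource-record sections, whose names use the compression pointers the header does not show.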

DNS: The protocol
Question section
- Contains questions
- Also included in reply
Answer section
- Contains requested RRs
- Empty in referral replies
Authority section
- Indicates authoritative NS
- Never empty in referrals
Additional section
- RR related to response, but not part of response
- E.g. A for NS in authority section

  sysi-00:~# dig www.ida.liu.se @a.ns.se

  ; <<>> DiG 9.2.4rc5 <<>> www.ida.liu.se @a.ns.se
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7059
  ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4

  ;; QUESTION SECTION:
  ;www.ida.liu.se.               IN      A

  ;; AUTHORITY SECTION:
  liu.se.                 86400  IN      NS      ns2.liu.se.
  liu.se.                 86400  IN      NS      sunic.sunet.se.
  liu.se.                 86400  IN      NS      nsauth.isy.liu.se.
  liu.se.                 86400  IN      NS      ns1.liu.se.

  ;; ADDITIONAL SECTION:
  ns1.liu.se.             86400  IN      A       130.236.6.251
  ns2.liu.se.             86400  IN      A       130.236.6.243
  sunic.sunet.se.         86400  IN      A       192.36.125.2
  nsauth.isy.liu.se.      86400  IN      A       130.236.48.9

  sysi-00:~# dig www.ida.liu.se @nsauth.isy.liu.se

  ; <<>> DiG 9.2.4rc5 <<>> www.ida.liu.se @nsauth.isy.liu.se
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49836
  ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4

  ;; QUESTION SECTION:
  ;www.ida.liu.se.               IN      A

  ;; ANSWER SECTION:
  www.ida.liu.se.        259200  IN      CNAME   informatix.ida.liu.se.
  informatix.ida.liu.se. 259200  IN      A       130.236.177.26

  ;; AUTHORITY SECTION:
  ida.liu.se.            259200  IN      NS      ns1.liu.se.
  ida.liu.se.            259200  IN      NS      ns2.liu.se.
  ida.liu.se.            259200  IN      NS      nsauth.isy.liu.se.
  ida.liu.se.            259200  IN      NS      ns.ida.liu.se.

  ;; ADDITIONAL SECTION:
  ns.ida.liu.se.         259200  IN      A       130.236.177.25
  ns1.liu.se.             43200  IN      A       130.236.6.251
  ns2.liu.se.             43200  IN      A       130.236.6.243
  nsauth.isy.liu.se.      21600  IN      A       130.236.48.9

  sysi-00:~# dig www.ibm.com @ns.ida.liu.se

  ; <<>> DiG 9.2.4rc5 <<>> www.ibm.com @ns.ida.liu.se
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38042
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 4

  ;; QUESTION SECTION:
  ;www.ibm.com.                  IN      A

  ;; ANSWER SECTION:
  www.ibm.com.             1800  IN      A       129.42.21.99
  www.ibm.com.             1800  IN      A       129.42.16.99
  www.ibm.com.             1800  IN      A       129.42.17.99
  www.ibm.com.             1800  IN      A       129.42.18.99

  ;; AUTHORITY SECTION:
  ibm.com.                  600  IN      NS      ns.austin.ibm.com.
  ibm.com.                  600  IN      NS      ns.watson.ibm.com.
  ibm.com.                  600  IN      NS      ns.almaden.ibm.com.

  ;; ADDITIONAL SECTION:
  ns.austin.ibm.com.      70372  IN      A       192.35.232.34
  ns.watson.ibm.com.      92202  IN      A       129.34.20.80
  ns.almaden.ibm.com.     70372  IN      A       198.4.83.35

DNS: Commands
nslookup
- Look up names
host
- Look up data in DNS
dig
- Look up data in DNS
- Full access to protocol
whois
- Information about who has registered a domain
- Many versions – jwhois is nice

DNS: Server types
Master
- Source of DNS data
- Authoritative for zone
Secondary
- Authoritative for zone
Forwarder
- Cache only
- Forwards queries
Recursive-only
- Performs recursive queries

DNS: Server architecture
(Figure: an administrator maintains the master, which feeds the slaves; clients send their queries to forwarders and a recursive server; a firewall separates the inside from the outside)

Zone configuration in BIND
Files
- named.conf
- Zone files
In Debian: /etc/bind
- named.conf
- named.conf.local
- named.conf.options
- zones.rfc1918
- db.0
- db.127
- db.empty
- db.local
- db.root

named.conf
Zone definition (master)
  zone "sysinst.ida.liu.se" {
      type master;
      file "/etc/bind/sysinst.zone";
  };
Other stuff
- Options
- Access control
Options
- Who can query the server
- Who can update the server
- Which ports to use
- Which address to use
- … and so on

Zone file
  $TTL 3600
  @   IN  SOA ( sysinst-gw.ida.liu.se. davby.ida.liu.se.
                2006083100  ; Serial
                3600        ; Refresh 1h
                1800        ; Retry 30min
                604800      ; Expire
                3600 )      ; TTL
      IN  NS   sysinst-gw.ida.liu.se.
      IN  NS   ns.ida.liu.se.
      IN  MX   10 ida-gw.sysinst.ida.liu.se.

  ida-gw    IN  A      130.236.189.1
  debian    IN  CNAME  ida-gw
  heretix   IN  A      130.236.189.62

  $GENERATE 0-16 sysi-${0,2,d} A 130.236.189.${10,,d}
  $GENERATE 1-8 a$-gw A 130.236.189.${29,,d}
  $GENERATE 1-8 b$-gw A 130.236.189.${37,,d}
  $GENERATE 1-8 c$-gw A 130.236.189.${45,,d}
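What the four `$GENERATE` lines above (and the `$GENERATE 1-63 ... CNAME` line on the in-addr.arpa slide) actually load into the zone, as an added example that is not part of the lecture: an expander for BIND's `$GENERATE` syntax, where `$` is the iterator and `${offset,width,base}` prints iterator+offset zero-padded to `width` in base d/o/x/X. `expand_generate` is a name invented here; it handles the optional TTL and class tokens and `$$` as a literal dollar, but not the `n` nibble format.

```python
import re

# ${offset,width,base} | $$ | $
TOKEN = re.compile(r"\$\{(-?\d+)(?:,(\d*))?(?:,([doxX]))?\}|\$\$|\$")

def expand_generate(directive):
    """Expand one BIND $GENERATE line into (owner, type, rdata) tuples.
    Syntax: $GENERATE start-stop[/step] lhs [ttl] [class] type rhs"""
    parts = directive.split()
    if not parts or parts[0] != "$GENERATE":
        raise ValueError("not a $GENERATE directive: %r" % directive)
    rng, lhs, rest = parts[1], parts[2], parts[3:]
    span, _, step = rng.partition("/")
    start, stop = (int(x) for x in span.split("-"))
    step = int(step) if step else 1
    # optional TTL (3600, 24h, ...) and class precede the type
    while rest and (re.fullmatch(r"\d+[smhdw]?", rest[0], re.I)
                    or rest[0].upper() in ("IN", "CH", "HS")):
        rest.pop(0)
    rtype, rhs = rest[0], " ".join(rest[1:])

    def substitute(template, i):
        def repl(m):
            if m.group(0) == "$$":
                return "$"
            if m.group(1) is None:            # bare $
                return str(i)
            value = i + int(m.group(1))
            width = int(m.group(2) or 0)
            base = m.group(3) or "d"
            spec = ("0%d" % width if width else "") + base
            return format(value, spec)
        return TOKEN.sub(repl, template)

    return [(substitute(lhs, i), rtype, substitute(rhs, i))
            for i in range(start, stop + 1, step)]

if __name__ == "__main__":
    for line in ("$GENERATE 0-16 sysi-${0,2,d} A 130.236.189.${10,,d}",
                 "$GENERATE 1-8 a$-gw A 130.236.189.${29,,d}",
                 "$GENERATE 1-63 $ CNAME $.rv4.sysinst.ida.liu.se."):
        records = expand_generate(line)
        print(records[0], "...", records[-1], "(%d records)" % len(records))
```

Expanding the directives before a change is a cheap way to review an address plan: the first line maps sysi-00..sysi-16 onto 130.236.189.10..26, and the a/b/c gateway lines onto .30-.37, .38-.45 and .46-.53, so an overlap with a hand-written A record such as heretix (.62) or with the next block shows up as a duplicate address in the output.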

More stuff in BIND
- Views
- Dynamic update
- DNSSEC

Directory Service Summary
Properties
- Search-optimized database
- Attribute-based data
- Distributed management for scalability
- Replication for performance and reliability
- Search protocol
- Update protocol
Common directory services
- DNS – Host names etc.
- NIS/NIS+ – Replace local files
- LDAP – General directory service